b"The Inspector General\nNational Archives and Records Administration\n\n                                     INDEPENDENT AUDITOR\xe2\x80\x99S REPORT\n\nWe have audited the accompanying Consolidated Balance Sheets of the National Archives and Records\nAdministration (NARA) as of September 30, 2011 and 2010, and the related Statements of Net Cost,\nChanges in Net Position, and Budgetary Resources (the last statement as restated for 2010) for the years\nthen ended. These financial statements are the responsibility of NARA management. Our responsibility\nis to express an opinion on the financial statements based on our audits.\n\nWe conducted our audits in accordance with auditing standards generally accepted in the United States\nof America; standards applicable to financial statement audits contained in Government Auditing\nStandards, issued by the Comptroller General of the United States; and Office of Management and\nBudget (OMB) audit guidance. Those standards require that we plan and perform the audit to obtain\nreasonable assurance about whether the financial statements are free of material misstatement. An\naudit includes examining, on a test basis, evidence supporting the amounts and disclosures in the\nfinancial statements. An audit also includes assessing the accounting principles used and significant\nestimates made by management, as well as evaluating overall financial statement presentation. We\nbelieve that our audits provide a reasonable basis for our opinion.\n\nIn our opinion, the financial statements referred to above present fairly, in all material respects, the\nfinancial position of NARA as of September 30, 2011 and 2010, and its net cost, changes in net position,\nand budgetary resources (the last as restated for 2010) for the years then ended, in conformity with\naccounting principles generally accepted in the United States of America.\n\nAs discussed in Note 21 to the financial statements, the fiscal year (FY) 2010 Statement of Budgetary\nResources has been restated to correct a material misstatement related to the year-end revenue accrual\nfor unfilled customer orders. We previously issued our auditor\xe2\x80\x99s report dated November 12, 2010, on\nthe FY 2010 financial statements. The section of our FY 2010 auditor\xe2\x80\x99s report dealing with the FY 2010\nStatement of Budgetary Resources should no longer be relied upon, as that statement was materially\nmisstated. Our FY 2010 auditor\xe2\x80\x99s report is replaced by this report, which provides our opinion on the FY\n2010 restated financial statements.\n\nWe also issued our report dated November 12, 2010, on internal control over financial reporting and\ncompliance with laws and regulations as of September 30, 2010. In that report, we stated that we did\nnot find any material weaknesses. In our FY 2011 audit, we determined that there was a material\nweakness as of September 30, 2010. Our report on internal control for FY 2011 describes this material\nweakness.\n\nThe information in Management\xe2\x80\x99s Discussion and Analysis and Required Supplementary Information\nsections is not a required part of the consolidated financial statements, but is supplementary\ninformation required by accounting principles generally accepted in the United States of America. We\ndid not audit this information and, accordingly, we express no opinion on it. We did, however, compare\n\n                                                    1\n\n\n\x0cthis information for consistency with the financial statements and discussed methods of measurement\nand presentation with NARA officials. On the basis of this limited work, we found no material\ninconsistencies between the financial statements and U.S. generally accepted accounting principles or\nOMB financial reporting requirements.\n\nOur audits were conducted for the purpose of forming an opinion on the consolidated financial\nstatements taken as a whole. The information in the Message from the Chief Financial Officer,\nPerformance Section, and Other Accompanying Information is presented for purposes of additional\nanalysis and is not required as part of the consolidated financial statements. This information has not\nbeen subjected to auditing procedures and, accordingly, we express no opinion on it.\n\nIn accordance with Government Auditing Standards, we also issued two other reports dated November\n14, 2011. The first report is on our consideration of NARA\xe2\x80\x99s internal control over financial reporting and\ncompliance with laws and regulations. The second report is on our tests of NARA\xe2\x80\x99s compliance with\ncertain provisions of laws and regulations and other matters. Those reports are an integral part of an\naudit performed in accordance with Government Auditing Standards and should be read in conjunction\nwith this report in considering the results of our audits.\n\nCOTTON & COMPANY LLP\n\n\n\n\nColette Y. Wilson\nPartner\n\nAlexandria, Virginia\nNovember 14, 2011\n\n\n\n\n                                                     2\n\n\n\x0cThe Inspector General\nNational Archives and Records Administration\n\n                           INDEPENDENT AUDITOR\xe2\x80\x99S REPORT ON INTERNAL CONTROL\n\nWe have audited the financial statements of the National Archives and Records Administration (NARA)\nas of September 30, 2011 and 2010 (as restated), and have issued our report thereon dated November\n14, 2011. That report contained our unqualified opinion on the financial statements for fiscal year (FY)\n2011 and on the restated financial statements for FY 2010. We conducted our audits in accordance with\nauditing standards generally accepted in the United States of America; standards applicable to financial\naudits contained in Government Auditing Standards, issued by the Comptroller General of the United\nStates; and Office of Management and Budget (OMB) audit guidance.\n\nNARA management is responsible for establishing, maintaining, and assessing internal control to provide\nreasonable assurance that the broad control objectives of the Federal Managers\xe2\x80\x99 Financial Integrity Act\nare met. The objectives of internal control are as follows:\n\n    \xe2\x80\xa2\t\t Financial reporting: Transactions are properly recorded, processed, and summarized to permit\n        the preparation of financial statements in conformity with U.S. generally accepted accounting\n        principles, and assets are safeguarded against loss from unauthorized acquisition, use, or\n        disposition.\n    \xe2\x80\xa2\t\t Compliance with laws and regulations: Transactions are executed in accordance with (1) laws\n        governing the use of budget authority, (2) other laws and regulations that could have a direct\n        and material effect on the financial statements, and (3) any other laws, regulations, and\n        government-wide policies identified by OMB audit guidance.\n\nIn planning and performing our audits, we considered NARA\xe2\x80\x99s internal control over financial reporting\nand over compliance with laws and regulations. We did this as a basis for designing our procedures for\nauditing the financial statements and not to express an opinion on internal control. Accordingly, we do\nnot express an opinion on internal control over financial reporting and over compliance with laws and\nregulations.\n\nOur consideration of internal control was for the limited purpose described in the previous paragraph.\nThus, it was not designed to identify all deficiencies in internal control that might be deficiencies,\nsignificant deficiencies, or material weaknesses; therefore, there can be no assurance that all\ndeficiencies, significant deficiencies, or material weaknesses have been identified. As discussed below,\nhowever, we identified a deficiency in internal control that we consider to be a material weakness.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to prevent, or\ndetect and correct misstatements on a timely basis. A material weakness is a deficiency, or combination\n                                                    1\n\n\n\x0cof deficiencies, in internal control, such that there is a reasonable possibility that a material\nmisstatement of an entity's financial statements will not be prevented, or detected and corrected on a\ntimely basis. We consider the following deficiency in NARA's internal control to be a material weakness.\n\nWe issued our report dated November 12, 2010, on internal control over financial reporting and\ncompliance with laws and regulations as of September 30, 2010. In that report, we stated that we did\nnot identify any material weaknesses. In our FY 2011 audit, we determined that there was a material\nweakness as of September 30, 2010. As a result of this material weakness, management failed to detect\nan $11.3 million misstatement affecting the Statement of Budgetary Resources (SBR). The FY 2010 SBR\nwas restated, and the misstatement is described in Note 21 to the financial statements.\n\nThis material weakness as of September 30, 2010 is described below. This material weakness still exists\nas of September 30, 2011.\n\nReview of Manual Journal Entries\n\nManagement does not have an effective process for the analysis and review of manual, non-routine\njournal entries, especially those made after the normal adjustment and review process. As a result,\nmisstatements to the financial statements might not be detected and corrected.\n\nAt the end of FY 2010, NARA\xe2\x80\x99s Revolving Fund (BCR) made an error in recording a year-end accrual. An\nincorrect methodology and posting logic was used and the BCR director did not detect or prevent the\nerror during the review and approval of the journal entry. Additional controls were not in place to detect\nand prevent the error from being reported in the financial statements, as the Financial Reports Staff\n(BCF), the organization responsible for preparing the financial statements, was not required to approve\nthe journal entry from BCR and did not review it as it was prepared and submitted after the normal\nadjustment and review period. This journal entry contained erroneous postings that resulted in an\noverstatement of Budgetary Resources and an understatement of Obligated Balances on the Statement\nof Budgetary Resources in the amount of $11.3 million.\n\nBCF discovered the FY 2010 error during the normal year-end closing and financial statement\npreparation process for FY 2011. However, as of September 30, 2011, management had not developed\nadequate control procedures regarding the review of manual journal entries prepared and submitted\nsubsequent to the normal adjustment period. Accordingly, we consider this weakness to be a material\nweakness for FY 2011 as well.\n\nGovernment Accountability Office\xe2\x80\x99s (GAO) Internal Control Standards, GAO/AIMD-00-21.3.1 (11/99)\npage 11 states:\n\n    Control activities occur at all levels and functions of the entity. They include a wide range of\n    diverse activities such as approvals, authorizations, verifications, reconciliations, performance\n    reviews, maintenance of security, and the creation and maintenance of related records which\n    provide evidence of execution of these activities as well as appropriate documentation.\n\nWe recommend that:\n\n    1.\t\t BCF develop, document, and implement procedures that require the review and approval of all\n         manual journal entries prepared and submitted during and after the normal adjustment period.\n         In addition, management should communicate these procedures to all involved in the process.\n\n                                                     2\n\n\n\x0c    2.\t\t BCR, as well as other offices, thoroughly review the methodologies and supporting\n         documentation for all journal entries approved and submitted for financial reporting throughout\n         the year (as required by current procedures).\n\nNARA\xe2\x80\x99s management response to the material weakness identified in our report is included as Appendix\nA to this report. We did not audit NARA\xe2\x80\x99s response and, accordingly, we express no opinion on it.\n\nSTATUS OF PRIOR-YEAR RECOMMENDATIONS\n\nWe reviewed the status of NARA\xe2\x80\x99s corrective actions with respect to the significant deficiency from the\nprior-year report on internal control. Appendix B to this report provides details of the status of\nrecommendations.\n\nIn addition to the above, we noted certain matters involving internal control and its operation that will\nbe reported to NARA management in a separate letter. These include the remaining open items in\nAppendix B.\n\nBecause of inherent limitations in internal control, misstatements due to error or fraud, losses, or\nnoncompliance may nevertheless occur and not be detected. We also caution that projecting our\nevaluation to future periods is subject to the risk that controls may become inadequate because of\nchanges in conditions or that the degree of compliance with controls may deteriorate.\n\nThis report is intended solely for the information and use of NARA management, NARA Office of\nInspector General, the Government Accountability Office, OMB, the Congress of the United States, and\nthose who have read NARA\xe2\x80\x99s financial statements, our report on those financial statements, and our\nreport on compliance with laws and regulations. This report is not intended to be and should not be\nused by anyone other than those parties.\n\nCOTTON & COMPANY LLP\n\n\n\n\nColette Y. Wilson, CPA\nPartner\n\nAlexandria, Virginia\nNovember 14, 2011\n\n\n\n\n                                                    3\n\n\n\x0c    APPENDIX A\n\n\nMANAGEMENT COMMENT\n\n\n\x0c     ~\n\n     NATIONAL \n\n    ARCHIVES \n\n    ARCHIVIST oJthe\n    UNITED STATES\n    DAVID S. FERRIERO\n         T    202.357.5900\n         ~.   202.357.590 I\n      dal'idfcrricro@/lllr'l\xc2\xb7SOI'\n\n\n\n\n   IONovember2011                                                ~\n   To:                 Paul Brachfeld, Inspector General   A'kY\n   From:               David S. Ferriero, Archivist of the Unled States\n   Subject:            Management response to FY 2011 Audit Report\n\n   Thank you for the opportunity to respond to your reports, Independent Auditor 's Report on\n   Internal Control and Independent Auditor 's Report on Compliance with Laws and Regulations.\n\n   NARA acknowledges the challenges identified in these reports and concurs in all recommendations of\n   the independent auditor. We are disappointed with the new material weakness over financial reporting.\n   NARA is instituting a broad range of measures which will strengthen internal controls over financial\n   reporting. In particular, NARA is developing formal policies governing the review and approval of manual\n   journal entries and assuring accountability for these adjustments, as recommended by the independent auditor.\n\n   NARA will continue to work diligently to address the challenges identified in FY 2011, improve\n   agency financial management, and ensure the accuracy and reliability of agency financial\n   statements. I would like to thank the Office of Inspector General and Cotton & Company, LLP\n   for their efforts and cooperation through the audit process.\n\n\n\n\n NATIONAL ARCHIVES                   alld\n RECORDS ADMINISTRATION \n\n\n700 PENNSYLVANIA AVENUE. NW \n\nWASHINGTON. DC 20408 0001 \n\n      1\\'\\\\'11'.   arch il'cs.gol'\n\x0c                 APPENDIX B\n\n\nNATIONAL ARCHIVES AND RECORDS ADMINISTRATION\n\n\n   STATUS OF PRIOR-YEAR RECOMMENDATIONS\n\n\n             SEPTEMBER 30, 2011\n\n\n\x0c                                                APPENDIX B\n\n\n                               NATIONAL ARCHIVES AND RECORDS ADMINISTRATION\n\n\n                                  STATUS OF PRIOR-YEAR RECOMMENDATIONS\n\n\n                                            SEPTEMBER 30, 2011\n\n\n\n We present below the status of recommendations from our prior-year reports on internal control over\n financial reporting and compliance with laws and regulations. In our FY 2010 report, we found a\n significant deficiency related to various components of NARA\xe2\x80\x99s information technology. NARA has made\n progress in this area, and some of our recommendations have been closed. Recommendations that\n remain open are considered deficiencies and will be reported in a separate letter to management.\n\nCondition/Audit Area and Recommendations                           Status as of September 30, 2011\nAccess Controls\n1. Implement a process for managing NARANet accounts                            Open\n     that:\n      a) Ensures all accounts are tied to a specific\n           individual who has the responsibility for\n           managing the account and determining the\n           ongoing need for non-login accounts.\n      b) Ensures all access and privileges of terminated\n           employees are promptly removed.\n2. Implement a process for managing RCPBS accounts\n     that:\n      a) Requires a recertification of all system accounts                      Closed\n           at least annually.\n      b) Implements a more restrictive password age                             Open\n           control that is consistent with requirements for\n           federal information systems.\n3. Ensure that supervisors receive training in their exit                       Open\n     clearance process responsibilities, including alerting\n     applicable personnel when employees and\n     contractors under their supervision no longer require\n     access.\n4. Develop and implement policies and procedures that                           Open\n     prohibit RCPBS users from having multiple accounts as\n     well as the ability to enter and approve their own\n     transactions.\n5.\t\t Require a record of logged-in users creating account                       Open\n     requests to show that requests are being generated\n     by a supervisor, not the user.\n6.\t\t Implement the following recommendations related to                         Open\n     NARANet logging and monitoring:\n      a)\t\t Reconfigure audit settings within the NARANet\n           Novell environment to log group membership add\n           and delete activities.\n      b)\t\t Continue with the implementation of Netforensic\n           and, once in place, ensure that procedures exist\n           for identifying key events that will be alerted to\n\x0cCondition/Audit Area and Recommendations                        Status as of September 30, 2011\n          and reviewed by management on a periodic basis.\n     c)\t\t Continue with efforts to audit account creations,\n\n\n          deletions, and modifications within OFAS and\n\n\n          develop standard procedures for regularly\n\n\n          reviewing and monitoring application audit logs.\n\n\n     d)\t\t Enable logging of all events within RCPBS,\n\n\n          required by NARA IT Security Methodology for\n\n\n          Audit and Accountability, and develop standard\n\n\n          procedures for regularly reviewing and\n\n\n          monitoring application activity logs.\n\n\n7.\t\t Assign one individual to the shared OFAS account, or                   Closed\n     split responsibilities of the shared account to\n     additional administrator accounts, to allow\n     accountability of administrator activities to be\n     established.\nContingency Planning\n8.\t\t Update the contingency and disaster recovery plans                     Closed\n     for RCPBS to reflect current operating conditions.\nConfiguration Management\n9.\t\t Improve upon NARA\xe2\x80\x99s current router and firewall                        Closed\n     build process by updating their standard configuration\n     file to be based on NIST-approved security checklists\n     for router and firewall platforms and devices in use by\n     NARA. We also recommend that the final standard\n     configuration be documented and compared against\n     devices to monitor for configuration compliance on a\n     periodic basis.\nSecurity Management\n10. Complete risk assessments for all NARANet                               Closed\n    components.\n11. Finalize and approve security plans for all NARANet                     Closed\n    components.\n12. Certify each NARANet component, then certify and                        Open\n    accredit the entire NARANet general support system.\n13. Implement policies and procedures which require the\t\t                   Closed\n    completion of security and awareness training before\n    being granted access to NARA information systems.\n\x0cThe Inspector General\nNational Archives and Records Administration\n\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT ON COMPLIANCE AND OTHER MATTERS\n\nWe have audited the financial statements of the National Archives and Records Administration (NARA)\nas of September 30, 2011 and 2010 (as restated), and have issued our report thereon dated November\n14, 2011. That report contained our unqualified opinion on the financial statements for fiscal year (FY)\n2011 and on the restated financial statements for FY 2010. We conducted our audits in accordance with\nauditing standards generally accepted in the United States of America; standards applicable to financial\naudits contained in Government Auditing Standards, issued by the Comptroller General of the United\nStates; and Office of Management and Budget (OMB) audit guidance.\n\nNARA management is responsible for complying with laws and regulations applicable to NARA. As part\nof obtaining reasonable assurance about whether NARA\xe2\x80\x99s financial statements are free of material\nmisstatements, we performed tests of NARA\xe2\x80\x99s compliance with certain provisions of laws and\nregulations that have a direct and material effect on the financial statements. We did not test\ncompliance with all laws and regulations applicable to NARA. We limited our tests of compliance to\nthose provisions of laws and regulations that OMB audit guidance requires we test if deemed applicable\nto the financial statements for the fiscal year ended September 30, 2011. We caution that\nnoncompliance may have occurred and may not have been detected by these tests, and that such\ntesting may not be sufficient for other purposes.\n\nOur tests of compliance with laws and regulations described in the preceding paragraph disclosed no\ninstances of material noncompliance that are required to be reported under Government Auditing\nStandards and OMB audit guidance. Providing an opinion on compliance with certain provisions of laws\nand regulations was not, however, an objective of our audit: accordingly we do not express such an\nopinion.\n\nThis report is intended solely for the information and use of NARA management, NARA Office of\nInspector General, the Government Accountability Office, OMB, the Congress of the United States, and\nthose who have read NARA\xe2\x80\x99s financial statements, our report on those financial statements, and our\nreport on internal control. This report is not intended to be and should not be used by anyone other\nthan those parties.\n\nCOTTON & COMPANY LLP\n\n\n\n\nColette Y. Wilson\nPartner\n\nAlexandria, Virginia\nNovember 14, 2011\n\x0c"